From 835c6345edbf4ff72e64d4d52622ecdfa4c3beab Mon Sep 17 00:00:00 2001
From: Sage
Date: Mon, 20 Apr 2026 10:35:13 +0000
Subject: [PATCH 1/2] Add readonly perms
---
 modules/home/terminal/opencode/default.nix | 25 ++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/modules/home/terminal/opencode/default.nix b/modules/home/terminal/opencode/default.nix
index b1e928f..1fa74cc 100644
--- a/modules/home/terminal/opencode/default.nix
+++ b/modules/home/terminal/opencode/default.nix
@@ -33,12 +33,37 @@
 "permission" = {
 "bash" = {
 "*" = "ask";
+ "*>*" = "ask";
 "rm *" = "deny";
 "rmdir *" = "deny";
 "unlink *" = "deny";
 "*rm *" = "ask";
 "*rmdir *" = "ask";
 "*unlink *" = "ask";
+ "awk *>*" = "ask";
+ "*-exec*" = "ask";
+ "git status" = "allow";
+ "git log" = "allow";
+ "git diff" = "allow";
+ "git show" = "allow";
+ "ls *" = "allow";
+ "head *" = "allow";
+ "tail *" = "allow";
+ "sort *" = "allow";
+ "uniq *" = "allow";
+ "grep *" = "allow";
+ "find *" = "allow";
+ "rg *" = "allow";
+ "fd *" = "allow";
+ "cat *" = "allow";
+ "wc *" = "allow";
+ "jq *" = "allow";
+ "file *" = "allow";
+ "diff *" = "allow";
+ "awk *" = "allow";
+ "pwd *" = "allow";
+ "cut *" = "allow";
+ "tr *" = "allow";
 };
 };
 };
From 68d5cac1be18d8fba6de41a30bb5c1595187805e Mon Sep 17 00:00:00 2001
From: Sage
Date: Mon, 20 Apr 2026 10:41:21 +0000
Subject: [PATCH 2/2] Update nix
---
 _sources/generated.json | 18 ++++++------
 _sources/generated.nix | 18 ++++++------
 flake.lock | 54 +++++++++++++++++-----------------
 modules/nixos/impermanence.nix | 13 +++++---
 4 files changed, 54 insertions(+), 49 deletions(-)
diff --git a/_sources/generated.json b/_sources/generated.json
index e8ba227..1505074 100644
--- a/_sources/generated.json
+++ b/_sources/generated.json
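Review bot: Several of the new `allow` entries cover commands that can write files or start other programs through their own options, which the `"*>*"` and `"*-exec*"` ask-guards do not match: `find *` (`-delete`, `-ok`, `-fprint`), `sort *` (`-o`), `awk *` (`system()`), `fd *` (`-x`) and `rg *` (`--pre`). For a read-only profile, either leave those five out of the allow list so they fall back to `"*" = "ask"`, or add matching guards such as `"find *-delete*" = "ask";` and `"sort *-o*" = "ask";`. It is also worth confirming how opencode resolves overlapping patterns: a Nix attribute set carries no source order, so if precedence depends on rule order, `"find *" = "allow"` may not be overridden by `"*-exec*" = "ask"` as the layout here suggests. A short comment above the block stating the intended precedence (deny, then ask-guards, then allow) would document that assumption.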
@@ -13,12 +13,12 @@ "name": null, "owner": "hackthedev", "repo": "dcts-client-shipping", - "rev": "v2.5", - "sha256": "sha256-fmU/rUIyHV/+GSgDuot3mDaZrYmxfhF3RXSAwE6HqPU=", + "rev": "v3.3", + "sha256": "sha256-Xq3xCeRNB5wNHz1cMxk540xl7Zz3DPdk79Yz1zHsEfU=", "sparseCheckout": [], "type": "github" }, - "version": "v2.5" + "version": "v3.3" }, "mender-cli": { "cargoLock": null, @@ -231,11 +231,11 @@ "passthru": null, "pinned": false, "src": { - "sha256": "sha256-6Qh5hcXM886OiOpcg73EU35kvnyvTtyJ1+7CSPzBsSA=", + "sha256": "sha256-DttSpfkjiYnTlnzzd87Rc/eLTJ+MyZzFIfsnhf0UKg8=", "type": "tarball", - "url": "https://thunderstore.io/package/download/ValheimModding/Jotunn/2.28.0/" + "url": "https://thunderstore.io/package/download/ValheimModding/Jotunn/2.29.0/" }, - "version": "2.28.0" + "version": "2.29.0" }, "valheim.jsondotnet": { "cargoLock": null, @@ -315,11 +315,11 @@ "passthru": null, "pinned": false, "src": { - "sha256": "sha256-A7WIMjNkkZoUD9xf5gswOv00/4j/NGkE+yD4gM+bAsY=", + "sha256": "sha256-XRS4WX2B35oEt4kyg/d9ZehkVBqDCheu1ZpoCE0txrQ=", "type": "tarball", - "url": "https://thunderstore.io/package/download/Advize/PlantEasily/2.1.0/" + "url": "https://thunderstore.io/package/download/Advize/PlantEasily/2.1.1/" }, - "version": "2.1.0" + "version": "2.1.1" }, "valheim.quickteleport": { "cargoLock": null, diff --git a/_sources/generated.nix b/_sources/generated.nix index 0c44cb5..63053fb 100644 --- a/_sources/generated.nix +++ b/_sources/generated.nix @@ -8,13 +8,13 @@ { dcts-client-shipping = { pname = "dcts-client-shipping"; - version = "v2.5"; + version = "v3.3"; src = fetchFromGitHub { owner = "hackthedev"; repo = "dcts-client-shipping"; - rev = "v2.5"; + rev = "v3.3"; fetchSubmodules = false; - sha256 = "sha256-fmU/rUIyHV/+GSgDuot3mDaZrYmxfhF3RXSAwE6HqPU="; + sha256 = "sha256-Xq3xCeRNB5wNHz1cMxk540xl7Zz3DPdk79Yz1zHsEfU="; }; }; mender-cli = { 
@@ -135,10 +135,10 @@ }; "valheim.jotunn" = { pname = "valheim.jotunn"; - version = "2.28.0"; + version = "2.29.0"; src = fetchTarball { - url = "https://thunderstore.io/package/download/ValheimModding/Jotunn/2.28.0/"; - sha256 = "sha256-6Qh5hcXM886OiOpcg73EU35kvnyvTtyJ1+7CSPzBsSA="; + url = "https://thunderstore.io/package/download/ValheimModding/Jotunn/2.29.0/"; + sha256 = "sha256-DttSpfkjiYnTlnzzd87Rc/eLTJ+MyZzFIfsnhf0UKg8="; }; }; "valheim.jsondotnet" = { @@ -183,10 +183,10 @@ }; "valheim.planteasily" = { pname = "valheim.planteasily"; - version = "2.1.0"; + version = "2.1.1"; src = fetchTarball { - url = "https://thunderstore.io/package/download/Advize/PlantEasily/2.1.0/"; - sha256 = "sha256-A7WIMjNkkZoUD9xf5gswOv00/4j/NGkE+yD4gM+bAsY="; + url = "https://thunderstore.io/package/download/Advize/PlantEasily/2.1.1/"; + sha256 = "sha256-XRS4WX2B35oEt4kyg/d9ZehkVBqDCheu1ZpoCE0txrQ="; }; }; "valheim.quickteleport" = { diff --git a/flake.lock b/flake.lock index ab40dea..6544b6a 100644 --- a/flake.lock +++ b/flake.lock @@ -231,11 +231,11 @@ ] }, "locked": { - "lastModified": 1776046499, - "narHash": "sha256-Wzc4nn07/0RL21ypPHRzNDQZcjhIC8LaYo7QJQjM5T4=", + "lastModified": 1776661682, + "narHash": "sha256-X32LTSDqUdVqMy85WYdRgyt0I75wc4Lhi9j+lrCDR8w=", "owner": "nix-community", "repo": "home-manager", - "rev": "287f84846c1eb3b72c986f5f6bebcff0bd67440d", + "rev": "4bfce11ea820df0359f73736fd59c7e8f53641a6", "type": "github" }, "original": { @@ -273,11 +273,11 @@ ] }, "locked": { - "lastModified": 1774991950, - "narHash": "sha256-kScKj3qJDIWuN9/6PMmgy5esrTUkYinrO5VvILik/zw=", + "lastModified": 1776184304, + "narHash": "sha256-No6QGBmIv5ChiwKCcbkxjdEQ/RO2ZS1gD7SFy6EZ7rc=", "owner": "nix-community", "repo": "home-manager", - "rev": "f2d3e04e278422c7379e067e323734f3e8c585a7", + "rev": "3c7524c68348ef79ce48308e0978611a050089b2", "type": "github" }, "original": { 
@@ -353,11 +353,11 @@ ] }, "locked": { - "lastModified": 1774613805, - "narHash": "sha256-SP8U4AhZbNaoQtZGAzVIkw56pOObacxcArqPNjc3FQc=", + "lastModified": 1776242217, + "narHash": "sha256-TRts0fKUPFcf1i6rZHFGUDTfti/x3oKEg/CqsPRpSgs=", "owner": "thiagokokada", "repo": "nix-alien", - "rev": "406827a0064e940578c18be868198aa06f443792", + "rev": "4c5e52dda0d6ab3de814e364046769321d3e1021", "type": "github" }, "original": { @@ -390,11 +390,11 @@ ] }, "locked": { - "lastModified": 1773550613, - "narHash": "sha256-G0xzE48epaG6qOiByH+gV4rFcpbnnTbOHgUFITK0oX8=", + "lastModified": 1775970782, + "narHash": "sha256-7jt9Vpm48Yy5yAWigYpde+HxtYEpEuyzIQJF4VYehhk=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "7cd5322ed4a2bf68f9111b27b89249501a62854c", + "rev": "bedba5989b04614fc598af9633033b95a937933f", "type": "github" }, "original": { @@ -427,11 +427,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1775710090, - "narHash": "sha256-ar3rofg+awPB8QXDaFJhJ2jJhu+KqN/PRCXeyuXR76E=", + "lastModified": 1776169885, + "narHash": "sha256-l/iNYDZ4bGOAFQY2q8y5OAfBBtrDAaPuRQqWaFHVRXM=", "owner": "nixos", "repo": "nixpkgs", - "rev": "4c1018dae018162ec878d42fec712642d214fdfa", + "rev": "4bd9165a9165d7b5e33ae57f3eecbcb28fb231c9", "type": "github" }, "original": { @@ -478,11 +478,11 @@ "systems": "systems_2" }, "locked": { - "lastModified": 1775892726, - "narHash": "sha256-1TK1pe33cEHNvGW41TP5xAzrbG1Gp7LfyFL6c3+xf+I=", + "lastModified": 1776630589, + "narHash": "sha256-Ty/cyZ8tnxYliznpVG1ntziWaTfUAROHkHFR8k+p5j4=", "owner": "NotAShelf", "repo": "nvf", - "rev": "5ab359ee7dfd3fa09a5c6f863efaf810bb9a9436", + "rev": "cd9c79b8cd012beaba818df713a0e0ea632b74a3", "type": "github" }, "original": { 
@@ -513,11 +513,11 @@ ] }, "locked": { - "lastModified": 1775971308, - "narHash": "sha256-VKp9bhVSm0bT6JWctFy06ocqxGGnWHi1NfoE90IgIcY=", + "lastModified": 1776119890, + "narHash": "sha256-Zm6bxLNnEOYuS/SzrAGsYuXSwk3cbkRQZY0fJnk8a5M=", "owner": "Mic92", "repo": "sops-nix", - "rev": "31ac5fe5d015f76b54058c69fcaebb66a55871a4", + "rev": "d4971dd58c6627bfee52a1ad4237637c0a2fb0cd", "type": "github" }, "original": { @@ -567,11 +567,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1775936757, - "narHash": "sha256-KJO/7qoxJ+hlsb3WlFSl6IGrExBIf1GvKdrhOlnGdKY=", + "lastModified": 1776170745, + "narHash": "sha256-Tl1aZVP5EIlT+k0+iAKH018GLHJpLz3hhJ0LNQOWxCc=", "owner": "danth", "repo": "stylix", - "rev": "d3e447786b74d62c75f665e17cb3e681c66e90c7", + "rev": "e3861617645a43c9bbefde1aa6ac54dd0a44bfa9", "type": "github" }, "original": { @@ -718,11 +718,11 @@ ] }, "locked": { - "lastModified": 1775961625, - "narHash": "sha256-8SjilptVv9dSTvn0Z5j65vHHu+flmPXeyrGaSyRJm7U=", + "lastModified": 1776663782, + "narHash": "sha256-qzBBuxZbn7vPD9ZDl3xmCBGa6qEc8Q//76Cbx4W0tE4=", "owner": "0xc000022070", "repo": "zen-browser-flake", - "rev": "0eaab249f5ca1c55921e99cfe07187410758c9fa", + "rev": "b93be06dc91630bf0ced69c54d0e1e05e56ae460", "type": "github" }, "original": { diff --git a/modules/nixos/impermanence.nix b/modules/nixos/impermanence.nix index 2b65dc8..bc4f284 100644 --- a/modules/nixos/impermanence.nix +++ b/modules/nixos/impermanence.nix @@ -13,10 +13,14 @@ with lib; { files = ["/var/lib/sops-nix/key.txt" "/etc/machine-id"]; }; - boot.initrd.postResumeCommands = - lib.mkAfter # sh - - '' + boot.initrd.systemd.services.rollback = { + description = "Roll back root btrfs subvolume"; + wantedBy = ["initrd.target"]; + after = ["cryptsetup.target"]; + before = ["sysroot.mount"]; + unitConfig.DefaultDependencies = "no"; + serviceConfig.Type = "oneshot"; + script = '' mkdir /btrfs_tmp mount /dev/mapper/crypted /btrfs_tmp if [[ -e /btrfs_tmp/root ]]; then 
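Review bot: The new `rollback` unit is ordered only `after = ["cryptsetup.target"]` and `before = ["sysroot.mount"]`, so the guarantee the old `postResumeCommands` hook had by construction, that the root subvolume is only replaced once a hibernation resume has been ruled out, is no longer expressed anywhere. If this host can hibernate, add the resume unit to the ordering, e.g. `after = ["cryptsetup.target" "systemd-hibernate-resume.service"];` (unit name to be checked against the systemd version in use). Nothing visible makes `sysroot.mount` depend on the unit succeeding either, so a failed `mount /dev/mapper/crypted /btrfs_tmp` would presumably leave the previous root in place without stopping the boot; a `requiredBy = ["sysroot.mount"];` or at least a comment stating the intended failure behaviour would help. The script body continues past the end of this hunk.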
@@ -40,5 +44,6 @@ with lib; {
 btrfs subvolume create /btrfs_tmp/root
 umount /btrfs_tmp
 '';
+ };
 };
 }